IN THE CLAIMS : 

Claims 3, 14, 24, 26, and 27 are amended herein. 
Claims 1-2 and 5 are canceled. Claim 28 is added. 
All pending claims are presented below. 

1-2. (Canceled) 

3. (Currently Amended) The method of claim [[1]] 6 wherein tfee optimizing 
step the decryption loop comprises performing at least one technique from the group of 
techniques consisting of constant folding, copy propagation, non-obvious dead code 
elimination, code motion, peephole optimization, abstract interpretation, instruction 
specialization, and control flow graph reduction. 

4. (Original) The method of claim 3 wherein at least two of said techniques are 
combined synergistically. 

5. (Canceled) 

6. (Previously Presented) A computer-implemented method for determining 
whether computer code contains malicious code, said method comprising the steps of: 

identifying computer code suspected of currently containing malicious code, 
the computer code having a decryption loop and a body; 

optimizing the decryption loop to produce optimized loop code; 

performing a malicious code detection procedure on the optimized loop code; 

optimizing the body to produce optimized body code; 

subjecting the optimized body code to a malicious code detection protocol; 
and 
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responsive to the malicious code detection procedure detecting malicious code 
in the optimized loop code or the malicious code detection protocol 
detecting malicious code in the optimized body code, declaring a 
confirmation that the computer code contains malicious code. 

7. (Original) The method of claim 6 wherein the malicious code detection 
procedure is a procedure from the group of procedures consisting of pattern matching, 
emulation, checksumming, heuristics, tracing, and algorithmic scanning. 

8. (Original) The method of claim 6 wherein the malicious code detection 
protocol is a protocol from the group of protocols consisting of pattern matching, emulation, 
checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

9. (Original) The method of claim 6 wherein the step of optimizing the body 
comprises using at least one output from the group of steps consisting of optimizing the 
decryption loop and performing a malicious code detection procedure on the optimized loop 
code. 

10. (Original) The method of claim 6 wherein, when the step of performing a 
malicious code detection procedure on the optimized loop code indicates the presence of 
malicious code in the computer code, the steps of optimizing the body and subjecting the 
optimized body code to a malicious code detection protocol are aborted. 

11. (Original) The method of claim 6 further comprising the additional step of, 
after the step of performing a malicious code detection procedure on the optimized loop 
code, revealing an encrypted body. 

12. (Original) The method of claim 1 1 wherein the step of revealing an 
encrypted body comprises emulating the optimized loop code. 
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13. (Original) The method of claim 1 1 wherein the step of revealing an encrypted 
body comprises applying a key gleaned from the optimized loop code. 

14. (Currently Amended) The method of claim [[1]] 6, wherein optimizing the 
computer code decryption loop to produce optimized loop code comprises: 

performing a forward pass operation; 
performing a backward pass operation; 
performing a control flow graph reduction; and 
iterating the above three steps a plurality of times. 

15. (Original) The method of claim 14 wherein the iteration of the three steps 
stops after either: 

a preselected number of iterations; or 

observing that no optimizations of the computer code were performed in the 
most recent iteration. 

16. (Original) The method of claim 14 further comprising the step of performing 
a code motion procedure, wherein the four steps are iterated a plurality of times. 

17. (Previously Presented) The method of claim 14 wherein the forward pass 
operation comprises one or more steps from the set consisting of: 

peephole optimization; 
constant folding; 
copy propagation; 

forward computations related to abstract interpretation; and 
instruction specialization. 
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18. (Previously Presented) The method of claim 14 wherein the backward pass 
operation comprises one or more steps from the set consisting of backward computations 
related to abstract interpretation and local dead code elimination. 

19. (Original) The method of claim 18 wherein the backward pass operation 
comprises the additional step of global dead code elimination. 

20-23. (Canceled) 

24. (Currently Amended) A computer-readable storage medium containing 
executable computer program instructions for determining whether computer code contains 
malicious code, said computer program instructions performing the steps of: 

identifying computer code suspected of currently containing malicious code; 
optimizing the identified computer code to produce optimized code; 
subjecting the optimized code to a malicious code detection protocol; and 
responsive to the malicious code detection protocol detecting malicious code 

in the optimized code, declaring a confirmation that the computer code 

contains malicious code 
identifying computer code suspected of currently containing malicious code, 

the computer code having a decryption loop and a body; 
optimizing the decryption loop to produce optimized loop code; 
performing a malicious code detection procedure on the optimized loop code; 
optimizing the body to produce optimized body code; 
subjecting the optimized body code to a malicious code detection protocol; 

and 
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responsive to the malicious code detection procedure detecting malicious code 
in the optimized loop code or the malicious code detection protocol 
detecting malicious code in the optimized body code, declaring a 
confirmation that the computer code contains malicious code . 

25. (Original) The computer-readable medium of claim 24 wherein the malicious 
code detection protocol is a protocol from the group of protocols consisting of pattern 
matching, emulation, checksumming, heuristics, tracing, X-raying, and algorithmic scanning. 

26. (Currently Amended) The computer-readable medium of claim 24 wherein 
the optimizing step the decryption loop comprises performing at least one technique from the 
group of techniques consisting of constant folding, copy propagation, non-obvious dead code 
elimination, code motion, peephole optimization, abstract interpretation, instruction 
specialization, and control flow graph reduction. 

27. (Currently Amended) The method of claim 6, further comprising A method 
for determining whether computer code contains malicious code, said method comprising the 

performing a dead code elimination procedure on the computer code; 
noting the amount of dead code eliminated during the dead code elimination 
procedure; and 

when the amount of dead code eliminated during the dead code elimination 
procedure exceeds a preselected dead code threshold, declaring a 
suspicion of malicious code in the computer code. 

28. (New) The method of claim 6 wherein the malicious code detection 
procedure comprises emulating the optimized loop code. 



6 



142 081 r i 244 4 I 



